Spoofing and Phishing Alert

In this post I like to introduce you to the Spoofing and Phishing Alert Zimlet(previously sa-alert). The goal of this Zimlet is to help users to identify spoofing and phishing and thus offer protection against it. While some parts of this Zimlet work automatically, it is not meant to be a fully automated plug-and-play solution and it is recommended you deploy it with a knowledgeable helpdesk/support staff to back it up.

This zimlet checks the result from Spam Assassin and alerts the user when certain tags are found. In addition it enforces the zimbraPrefShortEmailAddress setting to be FALSE as that allows the user to see the used email FROM address. The Zimlet also checks for suspicious characters in headers, like the NULL character etc. See also Mailsploit and bug 108709.

I deployed the Zimlet in an organisation with 700 users, and pointed the alertmail property to the helpdesk ticketing system, after a few weeks of increased incoming tickets and configuring the ignorelistReplyTo and ignorelistReturnPath the number of false positives dropped, and now the alert is really valuable to the user.